Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Privileged Session Manager (PSM) is an application cluster used to access, record, and monitor privileged sessions. It can be hosted as a Docker Swarm on local or cloud service locations. It launches when users with Login Session Access to a managed computer check out the credentials for that computer. You can configure PSM to record session activity, allowing Access Managers and other administrators to view what users do on the computer during a session.
This topic walks you through the process of setting up PSM. To completely set up PSM, you need to do the following:
Install Docker and Docker-Compose on a Linux server. The Linux server is the PSM server.
Create an OAuth application for PSM in EmpowerID.
Configure EmpowerID System Settings for PSM.
Generate a X509 certificate for the PSM OAuth application and upload it to the local machine and EmpowerID certificate stores.
Create a service account (EmpowerID Person) for PSM and map the certificate to that service account.
Use OpenSSL to extract the private and public key from the certificate.
Create Docker secrets on the PSM server.
Copy the psm.yml file you receive from EmpowerID to the root directory of the Linux server.
Initiate Docker swarm mode on the Linux server.
Pull the PSM Docker images from Dockerhub.
Deploy the stack.
Note |
---|
To comply with European Union GDPR (General Data Protection Regulation) that was implemented on May 25, 2018, you must do one of two things:
|
Info |
---|
To set up PSM, you must have a good understanding of containerization technologies and their advantages, the Docker Command Line and Docker Container Management System. If you are not familiar with Docker, the following resources may be helpful: What is Docker? What is Docker Hub? What is Docker swarm? In addition to understanding Docker, you must have access to the below PSM Docker images:
OpenSSL OpenSSL is needed to extract the KEY from the certificate you will generate and map the Service Account used for PSM. If you do not have OpenSSL installed, you can do so by following the instructions provided here: |
PSM Server Installation Instructions
PSM Server requires a Linux instance (Amazon AMI/Ubuntu preferred). Follow the below instructions to install Docker and Docker-Compose on the server.
Ubuntu — Run the following commands one after the other:
Code Block language text sudo apt-get remove docker docker-engine docker.io containerd runc curl =fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-get add - sudo apt-get update sudo apt-get install -y docker-ce sudo systemctl status docker
Amazon AMI — If you are running Linux on Amazon AMI, please follow the instructions provided by Amazon at the following link: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/docker-basics.html#install_docker
EmpowerID Server Setup Instructions
In order to implement PSM for your environment, there are a number of tasks you must complete on your EmpowerID server. These include:
Creating an OAuth Application for PSM
Configuring EmpowerID System Settings for PSM
Generating an a self-signed X509 certificate for PSM
Creating a PSM Service Account service account (EmpowerID Person)
Mapping the PSM certificate to that Person
PSM service account
Step 1 – Create an OAuth Application for PSM
From the navigation sidebar of the EmpowerID Web interfaceOn the navbar, expand Single Sign-On and click Applications.
From the Actions pane, click Create OAuth Application.
Image AddedIn the OAuth Application Details section of the form, do the following:
Fill in the Name, Display Name and Description fields with values that reflect the purpose of the application.
Select Active from the Application Status drop-down.
Select Web Application from the Application Type drop-down.Leave all other fields as is.
Image Removed
Scroll to the JWT Details section of the form and select the certificate used to sign assertions in your environment from the Signing Certificate drop-down.
Click Save.Scroll to the
Add the Callback URLs
section of the form and add Callback URLs for the application by doing the following:Click the Add button located to the left of Callback URL.Image RemovedIn the Details pane that appears, type the
to the app
On the navbar, expand Single Sign-On > SSO Connections and select OAuth / OpenID Connect.
Search for the application you just created and click the Name link for it.
Image AddedExpand the Callback URLs accordion and click the Add button.
Image AddedEnter the FQDN of your EmpowerID server
in thein the Callback URL
fieldfield and
then clickclick Save.
Image RemovedClick
thethe Add
buttonbutton again and add a second
Callbackcallback URL, formatted
asas
Authhttps://yourserver/WebIdPForms/
OAuth/v2
.Save your changes.
Image RemovedScroll to the bottom of the page and click Save to save the application.
From
Add a client secret to the app
On the View One page for the application, expand the Client Secrets accordion and click the Add button.
Image AddedIn the General dialog that appears, do the following:
Name – Name of the secret
Expires – Select one of the below options:
I year
2 years
Never
Client Secret – Copy and save this value as you will use it when creating Docker secrets later in this article. Be sure to save the Client Secret value before you closing the dialog as you will not be able to retrieve it afterwards.
On the View One page for the application, copy the values for the Client ID, Client API Secret, API Key and OAuthProviderApplicationID. You will use these when creating Docker secrets later in this topic.
Image RemovedImage Added
Configuring EmpowerID System Settings for PSM
From On the navigation sidebarnavbar, expand Infrastructure Admin > EmpowerID Servers and Settings and click select EmpowerID System Settings.
From On the EmpowerID System Settings page, search for psm.
Image Added
Image RemovedFor each setting relevant to your implementation of PSM, click the Edit button and specify the value for your environment.
Image RemovedImage AddedThe below table shows the EmpowerID Systems Settings for PSM.
Insert excerpt IL:PSM Settings Table IL:PSM Settings Table nopanel true
Generate a self-signed certificate for PSM
From File Explorer, navigate to the EmpowerID installation directory, located by default at
C:\Program Files\TheDotNetFactory\EmpowerID
.Open the Programs folder and locate the
EmpowerID.CertificateManager.exe
file.Open the application and click the Generate tab.
Image RemovedSelect X509 Certificate.
Image RemovedChange the Subject Name from CN=EmpowerID Self-signed Certificate to something more On the navbar, expand Single Sign-On > SSO Connections and select SSO Components.
Select the Certificates tab and then click the Add button in the grid header.
Image AddedSelect Generate Self-Signed Certificate and enter the following information:
Certificate Owner – Search for and select an EmpowerID Person
Prefer Local Machine Store – Select this option
Subject Name – Enter something suitable to the purpose of the certificate, such
as CN=PSM_
Certificate
Enter a Password in the Password field.
Click the Browse button, browse to an Output Folder and click OK.
Select the Import to EmpowerID Certificate Store option.
Select the Import to Local Certificate Store option.
Click Generate.
Image RemovedOnce the EmpowerID generates the certificate, you should see the Certificate Information pane.Image Removed
Creating a PSM Service Account (EmpowerID Person)
Requires Password – Select this option
Certificate Password – Enter a password for the certificate
Click Save to create the certificate.
Image Added
Create the PSM Service Account
On the navbar, expand Identity Administration and click People.
Click the Create Person Simple Mode action link.
Image AddedIn the Create Person Request form that appears, enter a First Name and Last Name for the Person account. As a best practice, the name should reflect the purpose of the Person account.
Image RemovedClick the Select a Role and Location link.
Search for and select the desired Business Role from the Business Role for the Person and then click the node for that role.
Image Removedtree.
Click the Location - link and then search for and select the desired location from the Location tree.
Image RemovedClick Select to select the Business Role and Location.
Click Save to save the new Person account.
Image RemovedImage Added
Next, map the PSM certificate to the Person as outlined below.
Map the PSM Certificate
From On the View page for the Person you just created, expand the Roles, Accounts, and Login Security accordion.
Click the Edit link in the Mapped Login Certificates pane.
Image RemovedImage AddedSearch for and select the PSM certificate you generated earlier .Click and then click Save.
Image Removed
Extract the Key from the PFX File
To extract the private key, run the below OpenSSL command:
Code Block openssl pkcs12 -in <filename>.pfx -nocerts -nodes -out key.pem
To extract the certificate (public key), run the OpenSSL command:
Code Block openssl pkcs12 -in <filename>.pfx -nokeys -out cert.pem
Create Docker Secrets and Keys on the PSM Server
You will need to create the following secrets and keys:
Secrets | Description |
---|---|
PSM_EID_OAUTH_CLIENT_SECRET | The OAuth Client Secret of the OAuth application used to authenticate the PSM Uploader application |
PSM_EID_OAUTH_CLIENT_ID | The OAuth Client ID of the OAuth application used to authenticate the PSM Uploader application |
PSM_EID_OAUTH_API_KEY | The OAuth API Key of the OAuth application used to authenticate the PSM Uploader application |
PSM_EID_SRV_ACCT_CERT_THMB | The Thumbprint of the certificate attached to the service user(Uploader Service account) for PSM in EmpowerID |
PSM_EID_OAUTH_JWT_PFX | The Pfx of the certificate attached to the service user(Uploader Service account) for PSM in EmpowerID |
PSM_EID_OAUTH_JWT_KEY | The JWT Key used to sign the payload with (Uploader) |
PSM_EID_OAUTH_JWT_KEY_PASSPHRASE | Passphrase to the JWT Key used to sign the request payload with (Uploader) |
PSM_SSL_PUB_CERT | PSM Application server SSL certificate (Public Cert) |
PSM_SSL_PRIV_PEM | PSM Application server SSL certificate (Private Key) |
PSM_SSL_PRIV_PEM_PW | PSM Application server SSL Private Key password |
PSM_DAEMON_SERVER_CRYPTKEY | PSM Application – Daemon communication Cryptkey (needs to be the same as the PSM_GUAC_SERVER_CRYPTKEY) |
PSM_GUAC_SERVER_CRYPTKEY | PSM Application – Daemon communication Cryptkey (needs to be the same as the PSM_ DAEMON_SERVER_CRYPTKEY) |
PSM_AWS_ACCESS_KEY_ID | AWS Access Key ID for S3 recording storage |
PSM_AWS_ACCESS_KEY_SECRET | AWS Access Key Secret for S3 recording storage |
PSM_AZURE_STORAGE_ACCOUNT | Azure Storage account name for recording storage |
PSM_AZURE_STORAGE_ACCESS_KEY | Azure Storage account access key for recording storage |
PSM_AZURE_CONTAINER_NAME | Azure container name where recordings are stored |
REMOTE_UNC_USERNAME | Remote UNC location (Shared Folder) Credential Username (For local UNC storage of session recordings) |
REMOTE_UNC_DOMAIN | Remote UNC location (Shared Folder) Credential Domain |
REMOTE_UNC_PASSWORD | Remote UNC location (Shared Folder) Credential Password |
Keys | Default Value | Description |
---|---|---|
PSM_UPLOADER_SERVICE_URL | https://upload eruploader.{your eid dns name}.co | The URL to the uploader service |
PSM_EID_OAUTH_GRANT_TYPE | urn:ietf:param s:oauth:granttype:jwtbearer | The OAuth Grant Type used to authenticate the uploader with EID. Do not change the value |
PSM_EID_OAUTH_CALLBACK_URL | https/ | The EmpowerID Server URL |
PSM_UPLOAD_TYPE | AZURE | The cloud storage service option (AZURE/AWS) |
PSM_EID_SERVER_AUTHENTICATION_URL | https://{dns_of_your_empowerid_server}/oauth/v2 /token | Temporary local storage for recordings on the Application Server |
PSM_STORAGE_SHARE_LOCATION | /recording | |
OAUTH_AUTHENTICATION_SERVICE_URL | https://{dns_of_your_empowerid_server}/oauth/v2 /userinfo | |
FAILURE_RETRIES_INTERVAL | 5000 | Retry interval for a failed session recording upload (milliseconds) |
FAILURE_RETRIES_COUNT | 5 | Number of retries for a failed session recording upload |
PSM_DAEMON_SERVER_PORT | 4822 | Daemon port |
REMOTE_UNC_SHARE_LOCATION | /{IP}/recording | Shared folder location for remote UNC Storage |
REMOTE_UNC_PORT | 445 | Remote UNC port number to the shared folder location |
PSM_UNC_SHARE_LOCATION | /recording | Temporary local storage on the Uploader service container |
PSM_AZURE_CONTAINER_NAME | Azure Storage container name | |
PSM_AWS_REGION | AWS region | |
PSM_AWS_BUCKET_NAME | AWS storage bucket name |
Expand | |||
---|---|---|---|
| |||
The below examples demonstrate how to create Docker secrets for each of the types used by PSM.
|
Edit the Docker Stack YAML File
Copy the psm.yml file you received from EmpowerID to the root directory of the Linux server.
Edit the values as needed for your implementation.
Save the psm.yml file.
Deploying the Docker Stack
Initiate swarm mode by running
docker swarm init
.Pull the PSM Docker images from Docker Hub using the account EmpowerID support provisioned for you.
Run the following command to deploy the stack:
Code Block docker stack deploy --with-registry-auth -c psm.yml psm
Verify the Docker containers are running by using the command
docker ps
.
Style | ||
---|---|---|
| ||
Expand | ||
Related
ContentTasks
Creating Privileged Session Policies
Computer and Service Management
Checking Out Credentials and Initiating an RDP Session
Viewing Privileged Session Details
ReferenceDiv | ||||||
---|---|---|---|---|---|---|
| ||||||
IN THIS ARTICLE
|